IN THE CLAIMS 



1. (Currently Amended) In a distributed network of interconnected 
computing devices, a network virus monitor, comprising: 

a virus sensor operable in a number of modes arranged to detect a computer 
virus in the network such that the bandwidth of the network is substantially 
unaffected in a first mode in that data packets are not removed from or added to 
network traffic, but are copied creating copied data packets which are analyzed for 
the computer virus , and wherein when the virus sensor detects the computer virus, 
the virus sensor switches to a second mode, wherein original data packets are 
analyzed and the data packets are not copied and wherein a subset of data packets 
determined to be infected or suspected of being infected are not returned to the 
network and wherein the virus monitor is able to collect network environment data 
and assign an IP address to itself, and wherein the virus monitor locates a 
controller in the network and registers itself with the controller, from where the 
virus monitor receives a rule set and an outbreak prevention policy (OPP). 

2. (original) A monitor as recited in claim 1, further comprising: 

a traffic controller coupled to the virus sensor and the network arranged to 
select certain data packets wherein the selected data packets are forwarded to the 
virus sensor. 

3. (Previously Amended) A monitor as recited in claim 2, wherein the traffic 
controller further comprises: 
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a data packet copier operable in the first mode and arranged to generate a 
copied data packet of each of the selected data packets wherein the selected data 
packets are returned to the network. 

4. (Previously Amended) A monitor as recited in claim 3 wherein the data 
packet copier is disabled in the second mode such that the selected data packets are 
passed to the virus sensor. 

5. (Previously Amended) A monitor as recited in claim 4, wherein the virus 
monitor further comprises: 

a data packet protocol identifier coupled to the virus sensor arranged to 
identify a data packet protocol associated with the data packet infected by a 
computer virus. 

6. (original) A monitor as recited in claim 5, wherein the selected data 
packets are each associated with the data packet protocol associated with the 
computer virus such that only those data packets associated with the identified data 
packet protocol are selected from the network. 

7. (original) A monitor as recited in claim 1 wherein the virus sensor unit 
further comprises: 

a filescan module arranged to scan a selected file for the computer virus. 

8. (Previously Amended) A monitor as recited in claim 7, wherein the 
filescan is remotely located. 
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9. (Previously Amended) A monitor as recited in claim 8, wherein the 
remotely located filescan is used for scanning large selected files. 
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10. (Currently Amended) A method of monitoring a distributed network of 
computing devices for a computer virus at a virus monitor coupled to the 
distributed network, comprising: 

monitoring a flow of data packets in the network for the computer virus 
without substantially reducing the flow of data packets, wherein data packets a^e- 
not removed from or added to network traffic, but are copied creating copied data 
packets which are analyzed for the computer virus , thereby preserving network 
bandwidth in a standby mode; 

determining that at least one of the monitored copied data packets is infected 
or suspected of being infected with the computer virus; 

monitoring the flow of data packets in an inline mode wherein original data 
packets are analyzed and wherein data packets that are determined i*e± to be 
infected or suspected of infection are not returned to the flow of data packets; 

collecting network environment data; 

assigning an IP address to the virus monitor itself ; and 

locating a controller in the network and registering the virus monitor i4setf 
with the controller, from where the virus monitor receives a rule set and an 
outbreak prevention policy (OPP). 

11. (original) A method as recited in claim 10, further comprising: 

isolating a portion of the network infected by the computer virus; and 
cleaning the isolated portion of the network. 

12. (original) A method as recited in claim 10, further comprising: 

sending a virus report to a controller. 
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13. (original) A method as recited in claim 10, further comprising: 
copying selected ones of the flow of data packets from corresponding 

original data packets retrieved from the flow of data packets based upon a packet 
type; and 

returning the retrieved data packets to the flow of data packets. 

14. (original) A method as recited in claim 13, wherein the packet type is 
determined by the detected computer virus. 

15. (original) A method as recited in claim 14, wherein a network bandwidth 
associated with the standby mode is substantially unaffected by the monitoring. 

16. (cancel) 
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17. (Currently Amended) A computer-readable medium storing computer 
code Computer program product for monitoring a distributed network of computing 
devices for a computer virus at a virus monitor coupled to the distributed network^ 
the computer-readable medium capable of executing computer code , comprising: 

computer code for monitoring a flow of data packets in the network for the 
computer virus without substantially reducing the flow of data packets, wherein 
data packets are not removed from or added to network traffic, but are copied 
creating copied data packets which are analyzed for the computer virus , thereby 
preserving network bandwidth in a standby mode; 

computer code for determining that at least one of the monitored copied data 
packets is infected or suspected of being infected with the computer virus; 

computer code for monitoring the flow of data packets in an inline mode 
wherein original data packets are analyzed and wherein data packets that are 
determined »e£ to be infected or suspected of infection are not returned to the flow 
of data packets; 

computer code for collecting network environment data; 

computer code for assigning an IP address to the virus monitor itself ; and 

computer code for locating a controller in the network and registering the 
virus monitor i-teetf with the controller, from where the virus monitor receives a 
rule set and an outbreak prevention policy (OPP) ; and 

computer readable medium for storing the computer code . 

18. (currently amended) A computer-rea program 
product as recited in claim 17, further comprising: 
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computer code for isolating a portion of the network infected by the 
computer virus; and 

computer code for cleaning the isolated portion of the network. 



19. (currently amended) A c p m p u t e r- r e a d a b 1 e me diu m Computer program 
product as recited in claim 17, further comprising: 

computer code for sending a virus report to a controller. 

20. (currently amended) A computer-re Computer program 
product as recited in claim 17, further comprising: 

computer code for copying selected ones of the flow of data packets from 
corresponding original data packets retrieved from the flow of data packets based 
upon a packet type; and 

computer code for returning the retrieved data packets to the flow of data 
packets. 

21. (Currently Amended) A cpmputer-re Computer program 
product as recited in claim 20, further comprising: 

computer code for determining the packet type using the detected computer 

virus. 

22. (Currently Amended) A. computer-read Computer program 
product as recited in claim 21, wherein a network bandwidth associated with the 
standby mode is substantially unaffected by the monitoring. 

23. (Cancel) 
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